Scoring & Maturity
How PipeGuard calculates dual scores and maps them to DevSecOps maturity levels.
Dual Scoring System
PipeGuard calculates two independent scores for each scanned file:
| Score | Range | What It Measures |
|---|---|---|
| Security Score | 0 — 100 | Presence of security stages, secret management, vulnerability scanning, deployment gates, governance |
| Quality Score | 0 — 100 | Pipeline reliability, caching, retries, naming conventions, artifact management, structure |
Both scores start at 100, and every violation found deducts points from one of them. Each rule carries a fixed deduction value that depends on its severity.
Point Deductions
| Severity | Deduction | Example |
|---|---|---|
| CRITICAL | 3 — 5 pts | Hardcoded secrets, no secret scanning, FROM :latest |
| HIGH | 2 — 3 pts | No Vault integration, npm install instead of npm ci |
| MEDIUM | 1 — 2 pts | Missing cache, no retry on flaky stages |
| LOW | 1 pt | Naming conventions, missing comments |
| INFO | 0 pts | Best practice suggestions (informational only) |
Scores never go below 0. A file with many critical violations will score 0/100.
Score Types per Rule
Each rule deducts from either Security or Quality:
| Category | Deducts From |
|---|---|
| SEC (Secret Management) | Security |
| SAS (Static Analysis) | Security |
| SCA (Supply Chain) | Security |
| DST (Dynamic Testing) | Security |
| DEP (Deployment) | Security |
| GOV (Governance) | Security |
| JEN (Jenkinsfile) | Security |
| DOC (Dockerfile) | Security |
| PQL (Quality) | Quality |
Maturity Levels
The Security Score maps to a DevSecOps maturity level (0-5):
| Level | Name | Score Range | Description |
|---|---|---|---|
| 0 | None | 0 — 19 | No security stages. Pipeline is completely unprotected. |
| 1 | Basic | 20 — 39 | Some security tools present but not blocking. Reports generated but not acted on. |
| 2 | Developing | 40 — 59 | Security stages exist and some block. Major gaps remain in coverage. |
| 3 | Defined | 60 — 79 | Defense in depth partially implemented. Most critical checks in place. |
| 4 | Managed | 80 — 94 | Strong security posture. Centralized tracking, governance enforced. |
| 5 | Optimized | 95 — 100 | Full DevSecOps maturity. Audit-ready. Top 1% of organizations. |
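The deduction model and the maturity mapping above, reproduced as an added example (not PipeGuard's own code). The per-rule deduction values and the rule ids other than R03 are constructed for the sample; only the category-to-score mapping, the 5-point cost of R03 and the maturity bands come from this page.

```python
# Added example, not PipeGuard source: scores a constructed list of findings
# the way this page describes (start at 100, deduct per violation, floor at 0).
from dataclasses import dataclass

# Rule category prefix -> which of the two scores it deducts from.
SCORE_TYPE = {
    "SEC": "security", "SAS": "security", "SCA": "security", "DST": "security",
    "DEP": "security", "GOV": "security", "JEN": "security", "DOC": "security",
    "PQL": "quality",
}

# Maturity bands for the Security Score: (level, name, lower bound), highest first.
MATURITY = [
    (5, "Optimized", 95), (4, "Managed", 80), (3, "Defined", 60),
    (2, "Developing", 40), (1, "Basic", 20), (0, "None", 0),
]

@dataclass(frozen=True)
class Violation:
    rule: str       # rule id, e.g. "R03"
    category: str   # "SEC", "PQL", ...
    severity: str   # CRITICAL / HIGH / MEDIUM / LOW / INFO
    deduction: int  # points the rule costs (assumed per-rule value)

def score(violations):
    """Return {'security': n, 'quality': n}; each score starts at 100 and never drops below 0."""
    scores = {"security": 100, "quality": 100}
    for v in violations:
        target = SCORE_TYPE[v.category]
        scores[target] = max(0, scores[target] - v.deduction)
    return scores

def maturity_level(security_score):
    """Map a Security Score (0-100) to its (level, name) band."""
    for level, name, lower in MATURITY:
        if security_score >= lower:
            return level, name
    raise ValueError("score must be between 0 and 100")

# Constructed findings for one pipeline file; rule ids other than R03 are placeholders.
SAMPLE = [
    Violation("R03", "SEC", "CRITICAL", 5),       # hardcoded secret, 5 pts (stated on this page)
    Violation("R03", "SEC", "CRITICAL", 5),       # a second hardcoded secret
    Violation("RULE-A", "SCA", "HIGH", 3),        # HIGH deductions are 2-3 pts
    Violation("RULE-B", "PQL", "MEDIUM", 2),      # quality-only rule
    Violation("RULE-C", "PQL", "LOW", 1),
    Violation("RULE-D", "GOV", "INFO", 0),        # INFO never changes the score
]

if __name__ == "__main__":
    s = score(SAMPLE)
    print(s, maturity_level(s["security"]))      # {'security': 87, 'quality': 97} (4, 'Managed')
```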
Example Output
```text
--------------------------------------------------------------------
RESULTS
--------------------------------------------------------------------
Files scanned: 4
Violations: 161 (16 critical, 35 high, 90 medium, 20 low)
Auto-fixable: 150/161

.gitlab-ci.yml   SECURITY   9/100   Level 0 — None
                 QUALITY   41/100   Level 2 — Developing
Dockerfile       SECURITY  40/100   Level 2 — Developing
Jenkinsfile      SECURITY  59/100   Level 2 — Developing
```
Improving Your Score
Use --fix to see exactly what to change:

```shell
$ pipeguard scan . --fix --severity critical,high
```
Focus on critical violations first — they have the highest point deductions. A single hardcoded secret (R03) costs 5 points.
Tip: Run PipeGuard in CI and track your score over time. A score of 80+ (Level 4: Managed) is a strong target for production pipelines.